security_events.c 9.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287
  1. /*
  2. * Asterisk -- An open source telephony toolkit.
  3. *
  4. * Copyright (C) 2013, Digium, Inc.
  5. *
  6. * Joshua Colp <jcolp@digium.com>
  7. *
  8. * See http://www.asterisk.org for more information about
  9. * the Asterisk project. Please do not directly contact
  10. * any of the maintainers of this project for assistance;
  11. * the project provides a web site, mailing lists and IRC
  12. * channels for your use.
  13. *
  14. * This program is free software, distributed under the terms of
  15. * the GNU General Public License Version 2. See the LICENSE file
  16. * at the top of the source tree.
  17. */
  18. /*!
  19. * \file
  20. *
  21. * \brief Generate security events in the PJSIP channel
  22. *
  23. * \author Joshua Colp <jcolp@digium.com>
  24. */
  25. #include "asterisk.h"
  26. ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
  27. #include <pjsip.h>
  28. #include "asterisk/res_pjsip.h"
  29. #include "asterisk/security_events.h"
  30. static enum ast_transport security_event_get_transport(pjsip_rx_data *rdata)
  31. {
  32. if (rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_UDP ||
  33. rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_UDP6) {
  34. return AST_TRANSPORT_UDP;
  35. } else if (rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_TCP ||
  36. rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_TCP6) {
  37. return AST_TRANSPORT_TCP;
  38. } else if (rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_TLS ||
  39. rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_TLS6) {
  40. return AST_TRANSPORT_TLS;
  41. } else if (!strcmp(rdata->tp_info.transport->type_name, "WS")) {
  42. return AST_TRANSPORT_WS;
  43. } else if (!strcmp(rdata->tp_info.transport->type_name, "WSS")) {
  44. return AST_TRANSPORT_WSS;
  45. } else {
  46. return 0;
  47. }
  48. }
  49. static void security_event_populate(pjsip_rx_data *rdata, char *call_id, size_t call_id_size, struct ast_sockaddr *local, struct ast_sockaddr *remote)
  50. {
  51. char host[NI_MAXHOST];
  52. ast_copy_pj_str(call_id, &rdata->msg_info.cid->id, call_id_size);
  53. ast_copy_pj_str(host, &rdata->tp_info.transport->local_name.host, sizeof(host));
  54. ast_sockaddr_parse(local, host, PARSE_PORT_FORBID);
  55. ast_sockaddr_set_port(local, rdata->tp_info.transport->local_name.port);
  56. ast_sockaddr_parse(remote, rdata->pkt_info.src_name, PARSE_PORT_FORBID);
  57. ast_sockaddr_set_port(remote, rdata->pkt_info.src_port);
  58. }
  59. static const char *get_account_id(struct ast_sip_endpoint *endpoint)
  60. {
  61. RAII_VAR(struct ast_sip_endpoint *, artificial, ast_sip_get_artificial_endpoint(), ao2_cleanup);
  62. return endpoint == artificial ? "<unknown>" : ast_sorcery_object_get_id(endpoint);
  63. }
  64. void ast_sip_report_invalid_endpoint(const char *name, pjsip_rx_data *rdata)
  65. {
  66. enum ast_transport transport = security_event_get_transport(rdata);
  67. char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
  68. struct ast_sockaddr local, remote;
  69. struct ast_security_event_inval_acct_id inval_acct_id = {
  70. .common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID,
  71. .common.version = AST_SECURITY_EVENT_INVAL_ACCT_ID_VERSION,
  72. .common.service = "PJSIP",
  73. .common.account_id = name,
  74. .common.local_addr = {
  75. .addr = &local,
  76. .transport = transport,
  77. },
  78. .common.remote_addr = {
  79. .addr = &remote,
  80. .transport = transport,
  81. },
  82. .common.session_id = call_id,
  83. };
  84. security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
  85. ast_security_event_report(AST_SEC_EVT(&inval_acct_id));
  86. }
  87. void ast_sip_report_failed_acl(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, const char *name)
  88. {
  89. enum ast_transport transport = security_event_get_transport(rdata);
  90. char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
  91. struct ast_sockaddr local, remote;
  92. struct ast_security_event_failed_acl failed_acl_event = {
  93. .common.event_type = AST_SECURITY_EVENT_FAILED_ACL,
  94. .common.version = AST_SECURITY_EVENT_FAILED_ACL_VERSION,
  95. .common.service = "PJSIP",
  96. .common.account_id = get_account_id(endpoint),
  97. .common.local_addr = {
  98. .addr = &local,
  99. .transport = transport,
  100. },
  101. .common.remote_addr = {
  102. .addr = &remote,
  103. .transport = transport,
  104. },
  105. .common.session_id = call_id,
  106. .acl_name = name,
  107. };
  108. security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
  109. ast_security_event_report(AST_SEC_EVT(&failed_acl_event));
  110. }
  111. void ast_sip_report_auth_failed_challenge_response(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
  112. {
  113. pjsip_authorization_hdr *auth = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION, NULL);
  114. enum ast_transport transport = security_event_get_transport(rdata);
  115. char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
  116. char nonce[64] = "", response[256] = "";
  117. struct ast_sockaddr local, remote;
  118. struct ast_security_event_chal_resp_failed chal_resp_failed = {
  119. .common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED,
  120. .common.version = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
  121. .common.service = "PJSIP",
  122. .common.account_id = get_account_id(endpoint),
  123. .common.local_addr = {
  124. .addr = &local,
  125. .transport = transport,
  126. },
  127. .common.remote_addr = {
  128. .addr = &remote,
  129. .transport = transport,
  130. },
  131. .common.session_id = call_id,
  132. .challenge = nonce,
  133. .response = response,
  134. .expected_response = "",
  135. };
  136. if (auth && !pj_strcmp2(&auth->scheme, "Digest")) {
  137. ast_copy_pj_str(nonce, &auth->credential.digest.nonce, sizeof(nonce));
  138. ast_copy_pj_str(response, &auth->credential.digest.response, sizeof(response));
  139. }
  140. security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
  141. ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
  142. }
  143. void ast_sip_report_auth_success(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
  144. {
  145. pjsip_authorization_hdr *auth = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION, NULL);
  146. enum ast_transport transport = security_event_get_transport(rdata);
  147. char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
  148. struct ast_sockaddr local, remote;
  149. struct ast_security_event_successful_auth successful_auth = {
  150. .common.event_type = AST_SECURITY_EVENT_SUCCESSFUL_AUTH,
  151. .common.version = AST_SECURITY_EVENT_SUCCESSFUL_AUTH_VERSION,
  152. .common.service = "PJSIP",
  153. .common.account_id = get_account_id(endpoint),
  154. .common.local_addr = {
  155. .addr = &local,
  156. .transport = transport,
  157. },
  158. .common.remote_addr = {
  159. .addr = &remote,
  160. .transport = transport,
  161. },
  162. .common.session_id = call_id,
  163. .using_password = auth ? (uint32_t *)1 : (uint32_t *)0,
  164. };
  165. security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
  166. ast_security_event_report(AST_SEC_EVT(&successful_auth));
  167. }
  168. void ast_sip_report_auth_challenge_sent(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, pjsip_tx_data *tdata)
  169. {
  170. pjsip_www_authenticate_hdr *auth = pjsip_msg_find_hdr(tdata->msg, PJSIP_H_WWW_AUTHENTICATE, NULL);
  171. enum ast_transport transport = security_event_get_transport(rdata);
  172. char nonce[64] = "", call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
  173. struct ast_sockaddr local, remote;
  174. struct ast_security_event_chal_sent chal_sent = {
  175. .common.event_type = AST_SECURITY_EVENT_CHAL_SENT,
  176. .common.version = AST_SECURITY_EVENT_CHAL_SENT_VERSION,
  177. .common.service = "PJSIP",
  178. .common.account_id = get_account_id(endpoint),
  179. .common.local_addr = {
  180. .addr = &local,
  181. .transport = transport,
  182. },
  183. .common.remote_addr = {
  184. .addr = &remote,
  185. .transport = transport,
  186. },
  187. .common.session_id = call_id,
  188. .challenge = nonce,
  189. };
  190. if (auth && !pj_strcmp2(&auth->scheme, "digest")) {
  191. ast_copy_pj_str(nonce, &auth->challenge.digest.nonce, sizeof(nonce));
  192. }
  193. security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
  194. ast_security_event_report(AST_SEC_EVT(&chal_sent));
  195. }
  196. void ast_sip_report_req_no_support(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata,
  197. const char* req_type)
  198. {
  199. enum ast_transport transport = security_event_get_transport(rdata);
  200. char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
  201. struct ast_sockaddr local, remote;
  202. struct ast_security_event_req_no_support req_no_support_event = {
  203. .common.event_type = AST_SECURITY_EVENT_REQ_NO_SUPPORT,
  204. .common.version = AST_SECURITY_EVENT_REQ_NO_SUPPORT_VERSION,
  205. .common.service = "PJSIP",
  206. .common.account_id = get_account_id(endpoint),
  207. .common.local_addr = {
  208. .addr = &local,
  209. .transport = transport,
  210. },
  211. .common.remote_addr = {
  212. .addr = &remote,
  213. .transport = transport,
  214. },
  215. .common.session_id = call_id,
  216. .request_type = req_type
  217. };
  218. security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
  219. ast_security_event_report(AST_SEC_EVT(&req_no_support_event));
  220. }
  221. void ast_sip_report_mem_limit(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
  222. {
  223. enum ast_transport transport = security_event_get_transport(rdata);
  224. char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
  225. struct ast_sockaddr local, remote;
  226. struct ast_security_event_mem_limit mem_limit_event = {
  227. .common.event_type = AST_SECURITY_EVENT_MEM_LIMIT,
  228. .common.version = AST_SECURITY_EVENT_MEM_LIMIT_VERSION,
  229. .common.service = "PJSIP",
  230. .common.account_id = get_account_id(endpoint),
  231. .common.local_addr = {
  232. .addr = &local,
  233. .transport = transport,
  234. },
  235. .common.remote_addr = {
  236. .addr = &remote,
  237. .transport = transport,
  238. },
  239. .common.session_id = call_id
  240. };
  241. security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
  242. ast_security_event_report(AST_SEC_EVT(&mem_limit_event));
  243. }